00. Exposing a Portfolio of Pay Per Install Rogue and Fraudulent and Malicious Affiliate 
Network Domains - An OSINT Analysis 
There was a time when the pay-per-install underground economy business model was booming, 
with fake security software as its primary means of monetization. Throughout 2008-2013, the 
cybercriminals' primary goal was to entice millions of users into installing rogue and fake 
security software on their hosts, with the bad guys earning millions of dollars in the process. 


In this OSINT analysis, WhoisXML API DNS Threat Researcher Dancho Danchev provides 
actionable intelligence, including personally identifiable information, on some of the most 
prolific providers of pay-per-install affiliate-network revenue-sharing schemes circa 2008-2013, 
with the aim of assisting the security industry and U.S. law enforcement in tracking down, 
monitoring and prosecuting the cybercriminals behind these campaigns. 
Sample high-profile pay per install affiliate based domains known to have been 
participating in the campaigns include: 
Sample personal email address accounts known to have been involved in the campaigns 
include: 




We'll continue monitoring the campaigns and post updates as soon as new developments take 
place. 


